Constrained Delegation with certificate and GSS API

Puran Chand puran157 at
Wed May 6 00:25:25 EDT 2020


I see 'gss_acquire_cred_impersonate_name' should be used to obtain
impersonation token on behalf of user and the API expects
User-Principal-Name 'gss_name_t' as input to identify the user.

I was wondering if there is similar API to perform same with
user-certificate this time instead of UPN.
I hope it should send a AS-REQ with  PA-DATA P4-S4U-X509-USER with
certificate (with my limited knowledge).

If there isn't any API, I would be happy to work upon this.

Let me know where to start.


More information about the krbdev mailing list